Encryption system key distribution method and apparatus

ABSTRACT

Encryption systems typically rely on the distribution of cipher keys between terminals for scrambling and unscrambling transmitted messages. Elaborate security precautions are necessary to protect the cipher keys since a compromise of the key could result in a compromise of the transmission. There is disclosed a key distribution method and apparatus which uses a channel from identified terminals to a central key distribution center for the establishment, on a one-session basis, of the key which is to be used for the next session between those terminals. The key establishing link is itself encoded using a cipher key which changes after each usage. Provision is made to verify, for each new connection, that a compromise has not priorly occurred.

BACKGROUND OF THE INVENTION

This invention relates to the establishment and distribution of cipher keys in a cryptographic system.

Cryptographic systems are now gaining favor, both for voice as well as data transmission. In such systems it is typically necessary that the parties to a particular transmission each have cryptographic keys to encrypt and decrypt the cipher transmissions. It follows that a compromise to a cryptographic key will in turn reduce the security of subsequent transmissions involving that key. Thus, great precautions must be taken to distribute the cryptographic keys among the system users. Such distribution, for example, using secure couriers to manually update the keys may be possible when the community of users is priorly known but becomes increasingly more difficult when either the number of parties is large or parties who seldom communicate with each other wish to do so. The responsibility for keeping the cryptographic key secure after distribution rests with each user and the longer the key remains effective the greater the risk of it becoming compromised.

Thus, from a practical point of view it is desirable to have the cryptographic key effective for a single session, requiring a new key for each new session. When couriers are used, however, this becomes costly and time consuming, especially when a party wishes to place many secure calls or have many secure sessions.

Attempts have been made to electronically distribute cryptographic keys between users from a key distribution center. One such example is shown in Rosenblum U.S. Pat. No. 4,182,933, issued Jan. 8, 1980. While such attempts have found some degree of success they all suffer from the problem that they are subject to compromise because they usually rely on the security of the transmission media between the key distribution center and the terminal for the distribution of session key information. Thus, an intruder need only compromise the key distribution channel to obtain subsequent session keys. Elaborate systems have sometimes been established to detect such a compromise, all of which are either costly or minimally effective.

Another problem with key distribution centers is that the center can derive the information used to decrypt the secure data exchange between users and thus could theoretically monitor the secure session transmission.

SUMMARY OF THE INVENTION

We have solved the above-identified problems by arranging a key distribution center (KDC) which communicates over a channel with the individual terminals. The channel, or data link, can be a dial-up telephone line, a packet-switched data network, dedicated lines, or other communications channel types, over which secure communication is possible. The terminals operate in conjunction with the KDC to establish a session key for secure transmission between two or more terminals. The session key at a terminal is constructed from information generated at that terminal in conjunction with information communicated from the KDC and is known fully only to the terminals involved in the session and not to the KDC. Thus, when two terminals have established a session key, they may securely communicate with each other for the duration of that session.

At the conclusion of the secure data exchange, the session keys should be destroyed, and when either station wishes to establish additional secure communication either between themselves or to other stations, a new session key will be established in cooperation with the KDC.

Both the terminal-KDC channel and the KDC-terminal channel, as mentioned above, are secure links in that they are protected by cryptographic key information which is unique to each terminal and to the KDC on a one-call-only basis. Accordingly, whenever a connection is established between a terminal and the KDC, each has information previously stored, referred to as terminal-unique key information, and this priorly stored information is used to establish both new KDC-terminal link keys, referred to as call-setup key information, and new session key information. During the establishment of the session keys, the terminal and the KDC each modify their respective terminal-unique key information so that on a next call between the KDC and the same terminal, this new key information must be used in order to establish a secure communication path. The precise manner in which this happens will be discussed hereinafter. In this manner, an intruder on the key distribution between a terminal and the KDC must be adding and substituting information on the channel from the beginning and must stay on the channel throughout several calls, since once the intruder leaves it is possible to detect, at least by hindsight, that a compromise has occurred. This is a result of the fact that the intruder is substituting random information that may be monitored.

One aspect of our system is that an intruder, in order to obtain useful information exchanged between two valid users of the system, may gain the terminal-unique information that is stored at the terminal, and he must also gain the terminal-unique information that is stored in the key distribution center for that specific terminal. The intruder then, on the very next key exchange involving that terminal and the key distributing center, must actively participate, i.e., substitute his own generated key information on that channel. Then the intruder must also substitute information on the channel between the two communicating terminals, and also must continue the above substitutions on the channels for an indefinite period of time or risk detection.

BRIEF DESCRIPTION OF THE DRAWING

These attributes of our invention, together with the operation and utilization of the invention in a specific embodiment, will be more fully apparent from the illustrative embodiment shown in conjunction with the drawing in which:

FIG. 1 shows an overall system using a KDC and several terminals;

FIG. 2 shows an implementation of the initial establishment of information in both the KDC and the terminal within a secure area;

FIGS. 3 and 4 show a flow chart detailing what occurs within each terminal;

FIG. 5 shows a flow chart detailing what occurs within the KDC;

FIGS. 6-9 show, in sequence, an implementation of the establishment of key information and control data within each terminal; and

FIGS. 20-28 show, in sequence, an implementation of the establishment of key information and control data within the KDC. In this system we have a variety of terminals.

GENERAL DESCRIPTION

FIG. 1 shows a number of terminals, A, B and X, connectable to each other and to KDC 10 via some transport network (e.g., public switched network). These terminals should be able to set up a secure channel between themselves in order to exchange secure information. In this process they must both communicate with the KDC. The transmission line 12 from terminal A is connected through link 16 to transmission line 13 to initiate a secure call to terminal B. Once the users decide to initiate a secure data exchange, each terminal sets up a transmission line, such as link 14 for terminal A, to the KDC.

An exchange of information will then occur from terminal A to the KDC and from terminal B to the KDC. Once the KDC has received both of these messages, it will formulate two distinct messages that will be sent respectively to terminal A via link 14 and to terminal B via link 15. These individual messages will contain session key information, as well as other pertinent information described below. This session key information has originated at terminal A and at terminal B and is exchanged through the KDC. Once the exchange has taken place between the two terminals and the KDC, link 14, which is the key distribution link between terminal A and the KDC, is then taken down, and key distribution link 15 between the KDC and terminal B is taken down. Link 16, which is the session link between terminals A and B, is re-established. Further key information is exchanged based on the prior partial exchanges so as to derive independently at both terminals the session key, and finally using that session key information, data (i.e., digital data or digital voice) can be transmitted in secure fashion on data link 16.

Since further session information was derived between terminals A and B independent of the KDC, a malicious operator of the KDC cannot derive the key information used to decrypt the secure messages sent between terminals A and B without actively substituting information on the session channel.

Also, at this point, as will be seen, contained within the messages that were sent between the KDC and the terminals was new terminal-unique key information to secure the next key distribution between the terminals of the KDC. This new information is independent of the previous information and therefore is unique to it.

DETAILED DESCRIPTION

Turning now to FIG. 2 the initial setup between the terminal and the KDC must be made in an authentic manner such that the information transported to the terminals from the KDC is not modified. One implementation is where the transport is made within a secured area, such as secured area 23. Since subsequent communications between the KDC and each terminal depend upon the prior communication, it is important that at some period in time they both contain the proper information for start-up, and ideally this is done in the secured area so that there can be no breach of security.

On the initial system setup (based on the secured area implementation shown in FIG. 2) the terminals are brought within the secured area 23, and the KDC can generate terminal-unique key pairs for each terminal. The exact function of these key pairs will be described later. The KDC will generate a terminal-unique decryption key for each terminal and the corresponding encryption key. This encryption key must be placed in the terminal-unique key storage for each terminal with the corresponding decryption key stored in the terminal-unique key storage at the KDC under the address of that terminal. In addition, a random number, Ua for terminal A, unique to each terminal is stored in the verification information storage at the KDC also at the address of this terminal. This same random number must be loaded and stored in the verification information storage in the terminals and will be used for a verification check on the first call setup to the KDC.

FIGS. 3 and 4 are flow charts representing the action that occurs within a terminal, for example, terminal A.

FIG. 5 is a flow chart representing what actions occur within the key distribution center.

The discussion which will follow is a discussion with respect to a time sequence between the terminal and the KDC to illustrate both how terminal-unique keys are updated, and how call-setup and session keys are distributed. This discussion will occur with respect to FIGS. 6 through 28. FIGS. 6 through 19 show the apparatus within the terminal and show on a step-by-step basis how the call-setup keys and the session keys are established. FIGS. 20 through 28 show the apparatus within the KDC, each figure showing a specific operational aspect of the establishment of the keys.

Turning now to FIG. 6 we will discuss the specific apparatus used in the terminals. The actual generation of the numbers will be discussed hereinafter. Apparatus 72 is a random number generator which is a device or algorithm that produces bits (zeros and ones) that are equally likely to occur. This generation may be based upon a noisy diode and any number of algorithms can be used to attain statistically independent output of 0's and 1's. The more equally likely these random number generators are, i.e., the more random this function is, the higher the security level will be. The output of the random number generator is a serial stream of zeroes and ones where the correlation between one or a group of bits is zero. The bidirectional asymmetric key generator, apparatus 73, takes as input a random number from random number generator 72 and will compute an encryption key and the matching decryption key such that the encryption key cannot be derived from the decryption key and vice versa. The generation of these keys as an example could be done in accordance with the RSA algorithm, as described by Rivest, Shamir, and Adleman in a paper entitled, "A Method for Obtaining Digital Signatures and Public Key Crypto Systems," which publication is hereby incorporated by reference, which appeared in CACM, Vol. 21, No. 2, February, 1978, on pages 120-126.

Apparatus 74 implements a bidirectional asymmetric cryptographic algorithm (e.g., the RSA algorithm) that is, a cryptographic algorithm based on two distinct keys where the encryption key cannot be derived from the decryption key and vice versa. Apparatus 74 has two inputs (I and K) and one output (O). The input I is the bits to be encrypted or decrypted. The input K is the key, either encryption or decryption (the RSA algorithm performs the same function regardless of encryption or decryption). The output will be the inputted bits encrypted or decrypted with the supplied key. This algorithm is also described in the aforementioned paper. Functionally, apparatus 75 is the embodiment of two functions f and g such that: given f(R, P) and P, one cannot determine R; g(R1, f(R2, P), P)=g(R2, f(R1, P), P); and given f(R1, P), f(R2, P), and P one cannot determine R1, R2, or g(R1, f(R2, P), P).

Apparatus 75 performs the above functions via, for example, the Diffie-Hellman algorithm, which is described in a paper by Diffie and Hellman entitled "New Directions in Cryptography," published by the IEEE Transactions on Information Theory, Vol. IP-22, November, 1976, on pages 644-655, which is hereby incorporated by reference. The input to this algorithm is a base Y, a modulus Q and an exponent EXP. The output is Y raised to the EXP power modulo Q. The functions f and g are the same as discussed above in this example.

The storage requirements are depicted by registers 71, 70 and 76. These are the semi-permanent register 71 which contains both the verification information Va and the terminal-unique key information Eak used to encrypt messages to the KDC. Temporary register 70 can be in any state initially and is used during the interaction with the KDC on a secure call setup. The address register permanently contains the address (i.e., a public piece of information that uniquely identifies A to the KDC) of the terminal (terminal A in this case) where it is located. During a secure session (or call) setup, the address register will also contain the address of the terminal which is being called. The registers containing verification information and encryption and decryption information may vary in size depending upon the specific algorithm used but in this example should be on the order of 1,000 bits each. Information pertaining to the symmetric session key and the random number should be on the order of 100 bits, and the address information will be dependent upon a terminal numbering plan both unique and known to the KDC. For example, it could be the telephone number of the specific terminal or it could be the serial number of the terminal.

Turning to FIG. 20 we will now discuss the working of the modules within the key distribution unit. The address register at the KDC, register 200, performs the same function as the address register at the terminal. The RSA function at the KDC, apparatus 210, performs the same function as the RSA function at the terminal, as previously described. The random number generator, apparatus 211, performs the same function as the random number generator at the terminal previously mentioned. The generator of the encryption and decryption keys, apparatus 212, has the same function as described previously in the terminal. Apparatus 213 is a generator of the parameters used as inputs to the apparatus 75 described previously. For this particular example these parameters are the base and modulus for the Diffie-Hellman algorithm. It requires as input the output of the random number generator, apparatus 211. The method of generation is described in the aforementioned paper by Diffie.

There is a semi-permanent storage at the KDC, registers 214 and 216, which stores verification information Va and terminal-unique decryption key information Dak between calls. Semi-permanent registers 215 and 217 are used to store information during the call setup progress. These registers have the same functions as described previously for the terminal.

System Operation

The operation of the system will now be explained beginning with FIG. 3. Initially the key management equipment in the terminal will be in the wait state until a request is received from the terminal controller processor to initiate a secure call. At this point, as discussed, there is stored in the terminal the terminal-unique encryption key that will be used to encrypt information that is sent to the KDC. Also stored is the verification information. These two pieces of information were stored from the last call (or from the initial setup) that was made by this terminal. This is shown in FIG. 6 as Va and Eak.

Once a request is received to initiate a secure call, the address of the called party must be given to the key management equipment via the controller processor. This is seen in FIG. 3, box 31. At this point, there are generated new call-setup keys. This is shown in box 32 and in FIG. 7 as Eka and Dka. In box 33 there is shown the generation of partial session keys that will be used to encrypt data on the link from terminal B to terminal A. This is shown in FIG. 8 as Eba and Dba.

At this point, the verification information is updated using the keys that were just generated. The update function is specified as follows:

    Va1'=f(Va1, E1) and Va2'=f(Va2, E2)

where ' denotes updated and Va1|Va2=Va. Va is the stored verification information and the E's are the just-generated encryption keys. The properties of f are as follows:

(1) for every V, E1, E2: f(V, E1)≠f(V, E2) where E1≠E2;

(2) for every V1, V2, E: f(V1, E)≠f(V2, E) where V1≠V2;

(3) given V and V'=f(V, E) it is difficult to determine E; and

(4) in the case where E is an asymmetric encryption key, D cannot be determined from E.

For this example, Va'=Va1'|Va2' where Va=Va1|Va2, Va1' is equal to Va1 encrypted with Eka, and Va2' is equal to Va2 encrypted with Eba. This update process is depicted in FIG. 9. The first half of the verification information Va1 is read from storage and provided as an input to the RSA algorithm. The key that is used to encrypt this information is the call-setup key, Eka, that was just generated. This becomes Va1' and overwrites Va1 as seen in FIG. 10. Next, the second half of the verification information Va2 is encrypted using Eba just generated. The result Va2' overwrites Va2 in the storage register. This is shown in FIG. 3, box 34, and in summary, the updated verification information Va" is the verification information stored from the previous call, or given to the terminal on the initial setup from the KDC, where half is encrypted using the encryption part of the partial session key generated on this call and the other half is encrypted using the call-setup key for that call.

At this point, as shown in box 36, FIG. 3, and in FIG. 11, the message can be formatted to the KDC. The contents of this message are the encryption parts of the two keys that were just generated. Both the partial session key to be established between terminal A and B, Eba, and the new call-setup key Eka are encrypted using the terminal-unique encryption key Eak stored from the previous call from the KDC to the terminal or given to the terminal on the initial setup. At this point, the information that can be destroyed from the terminal is the terminal-unique encryption key, Eak, stored at the terminal from the previous call, and both the call-setup encryption key, Eka, and the partial session encryption key, Eba, that were generated by the terminal. The encrypted message is then appended to the address, A, of the originating terminal followed by the address, B, of the called terminal. This message is now sent to the KDC.

The terminal now will enter a wait state waiting for the information to be received from the KDC. This is depicted in box 37 of FIG. 3.

As shown in FIG. 5, the KDC will be in a wait state until a message is received from terminal A. This is shown in FIG. 5, box 50. Once the message is received, the KDC reads the address information within the message into the address register which gives it the index of the decryption key that must be used to decrypt the message. The KDC has in its storage from the previous call the matching verification information for each terminal and the terminal-unique decryption key for each terminal. This is depicted in FIG. 20, boxes 214 and 216.

The message from terminal A is decrypted using the terminal-unique decryption key corresponding to that terminal, Dak. The keys, both the new call setup key Eka and the partial session key Eba (to be distributed to terminal B), are temporarily stored in the KDC memory as depicted in FIG. 21.

At this point, as shown in FIG. 21, the KDC can update its verification information in the exact same manner as the terminal. This is done by encrypting each half of the stored verification information Va with the received session key information Eba and the received call-setup key information Eka, shown in FIG. 23. This produces the update verification information Va".

The key distribution center, as shown in FIG. 24, will now generate a bidirectional asymmetric encryption/decryption key pair, Eak', Dak'. The primes denote updated information. Eak' will be distributed to terminal A to be used on the next call setup to the key distribution center. The decryption key Dak' overwrites the decryption key Dak that was stored from the previous call.

Two other pieces of information are also generated at this time. These are the parameters that will be used by the terminals to create symmetric session keys; in this case they are the parameters of the Diffie-Hellman algorithm. One is the base Y and the other is the modulus Q as previously described. Functionally, the amount of information that is generated at the KDC and sent to each terminal may vary depending upon the precise algorithm. This information is stored in temporary storage and will be used as part of the message sent back to both terminal A and terminal B. This generation process is depicted in FIG. 25 and refers to the flow chart box 55, FIG. 5. By this point, as shown in FIG. 26, the KDC must have received a message from terminal B in order to complete the call to terminal A. If not, the KDC process for terminal A must wait until the process for terminal B has reached this point. This is so it can give terminal A the partial session key information Eab generated at terminal B and also to be able to give terminal B the partial session key Eba generated at terminal A. Coordination between the processes must take place so that the same parameters generated by one process overwrite the parameters generated by the other process. This ensures that the parameters sent to the terminals for the purpose of generating symmetric session keys are the same.

Once the internal exchange is made between the A registers and the B registers to coordinate the information inside the key distribution center, the messages can now be formatted for the terminals. This is shown in FIG. 27. The message to terminal A will consist of the new terminal-unique key information Eak' that will be used on a subsequent call to the KDC. It will also consist of the partial session key information Eab which it received from terminal B. It will also consist of the verification information Va" or a known reduction of Va" in terms of the number of bits. It will also consist of the base Y and the modulus Q of the Diffie-Hellman algorithm. These five pieces of information will be encrypted using the call-setup key Eka received in the message from terminal A. The KDC destroys Eka, Eba, Eak', Y, and Q corresponding to terminal A and destroys Ekb, Eab, Ebk', Y, and Q corresponding to terminal B. The KDC will then send this output message back to terminal A. An analogous encrypted message is sent from the KDC to terminal B. At this point the KDC is finished with its processing.

FIG. 28 shows the configuration of the KDC after the call to terminal A has been dropped. The KDC has updated verification information Va" and updated terminal-unique decrypt key information Dak' which will be used on a subsequent call between terminal A and the KDC.

Referring back to the flow chart, FIG. 3, for terminal A, the key management equipment at the terminal has been in a wait state while the KDC has been functioning. FIG. 12 shows the key information stored at the terminal during this wait state. It is the updated verification Va" information and both decrypt keys Dka and Dba corresponding to the previously generated encryption keys.

FIG. 13 shows how the information received from the KDC is used in accordance with the box 38, FIG. 3. The call-setup decryption key Dka is used to decrypt the message received from the KDC. The five values (previously discussed) sent from the KDC are now used in the following way. The first piece of information is the new distribution key Eak' that is stored in the semi-permanent register 71 and will be used on a following call made from this terminal to the KDC. It is the updated terminal-unique encryption key. The second piece of information is the partial session key Eab which was generated at B and sent through the KDC to terminal A. The third piece of information is the updated verification information Va", which can now be compared with the verification information stored at terminal A. The fourth and fifth pieces of information are the parameters to the Diffie-Hellman algorithm, the base Y and the modulus Q, which terminal A stores in temporary storage.

Referring to FIG. 4, box 40, at this point the terminal will compare the verification information it received from the KDC and either the verification information which is presently stored or some known reduction of that verification information (FIG. 14). If this matches, then the process will continue as normal. If this does not match, an alarm could be given to the terminal controller processor of a potential intruder threat on a previous call.
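As an added illustration (not code from the patent), the following Python sketch models only the verification-information chain: both ends apply the update Va'=f(Va1, Eka)|f(Va2, Eba) on every call, and the terminal compares the result with what the KDC returns. It assumes truncated SHA-256 as a stand-in for the RSA encryption the text uses for f, random byte strings as stand-ins for Eka and Eba, and hypothetical function names; it shows why a substitution that stops is noticed on the next untampered call.

```python
import hashlib
import secrets

HALF = 16  # bytes per half of Va (constructed size, not the ~1,000 bits of the text)


def f(v: bytes, e: bytes) -> bytes:
    """Update function f(V, E). Assumption: truncated SHA-256 stands in for
    'V encrypted with E'; it is deterministic and depends on both inputs."""
    return hashlib.sha256(v + e).digest()[:HALF]


def update(va: bytes, eka: bytes, eba: bytes) -> bytes:
    """Va' = f(Va1, Eka) | f(Va2, Eba), where Va = Va1 | Va2."""
    return f(va[:HALF], eka) + f(va[HALF:], eba)


def new_keys():
    """Constructed stand-ins for the encryption keys Eka and Eba of one call."""
    return secrets.token_bytes(32), secrets.token_bytes(32)


def run_calls(substituted):
    """Simulate successive call setups between one terminal and the KDC.

    substituted[i] is True when, on call i, the keys that reached the KDC were
    replaced in transit and the reply to the terminal was forged to match
    (which the text says requires the stored terminal-unique information).
    Returns, per call, whether the terminal's box-40 comparison passed.
    """
    terminal_va = kdc_va = secrets.token_bytes(2 * HALF)  # Ua from the secured area
    outcomes = []
    for tampered in substituted:
        eka, eba = new_keys()
        terminal_va = update(terminal_va, eka, eba)   # terminal side, box 34
        if tampered:
            kdc_va = update(kdc_va, *new_keys())      # KDC chained other keys
            reply = terminal_va                       # forged reply hides it for now
        else:
            kdc_va = update(kdc_va, eka, eba)         # KDC repeats the same update
            reply = kdc_va                            # genuine Va from the KDC
        outcomes.append(secrets.compare_digest(terminal_va, reply))
    return outcomes


def first_alarm(substituted):
    """Index of the first call on which the comparison fails, or None."""
    outcomes = run_calls(substituted)
    return outcomes.index(False) if False in outcomes else None


if __name__ == "__main__":
    # Calls 1 and 2 are tampered with; the mismatch surfaces on call 3.
    print(run_calls([False, True, True, False, False]))
```

Because each new value depends on the previous one, the two chains never reconverge after a substituted call, so every later direct call to the KDC keeps failing the comparison until the terminal is re-initialised.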

Assuming a success of the compared verification, the terminal can now take down the channel to the KDC and establish a channel to terminal B, if not already established. At this point, terminal A and terminal B can communicate data securely using the asymmetric session keys Eab and Eba. If a symmetric session key is needed, the following steps can be taken. The calculation of the message to be sent to terminal B is shown in FIG. 15. First, the base Y and modulus Q of the Diffie-Hellman algorithm are used along with a random number Ra generated by the random number generator 72. These inputs are given to the Diffie-Hellman algorithm 75 and the output is then an input to the RSA function 73. The random number Ra is also stored in temporary storage. Eab is used as the key to the RSA function 73. At this point the session key information Eab received from terminal B and the base number Y may be destroyed. The output of the RSA algorithm is sent to terminal B.

Terminal A's key management equipment will now enter a wait state shown in FIG. 4, box 44, waiting for a message to be returned from terminal B. The idle state is depicted in FIG. 16 and in storage is the decrypt session key Dab which terminal A generated, the modulus Q of the Diffie-Hellman algorithm generated by the KDC and the random number Ra that was generated by terminal A.

As shown in FIG. 17, upon receipt of the message from terminal B, terminal A will decrypt the message using its decryption key Dba stored from the initial generation of the partial session key. Dba can now be destroyed. The output of this will be fed into the Diffie-Hellman algorithm as the base. The exponent will be the random number Ra which was priorly generated and the modulus Q is also input into the algorithm. The output of the Diffie-Hellman algorithm will be symmetric session key information which will equal the session key information that terminal B has calculated. Q and Ra can now be destroyed.

At this point, terminals A and B have established symmetric session key information between themselves that is not derivable by the KDC. This key information may be used in a symmetric key algorithm like the Data Encryption Standard (DES) to encrypt data. What is stored now in the terminal until the next request for a secure session (or call), as shown in FIG. 18, is the updated verification information Va" and the terminal-unique key Eak' which it received from the KDC to be used to encrypt the next message to the KDC.
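The terminal-to-terminal step just described can be traced in a short Python sketch, added here as an illustration and not taken from the patent. It assumes textbook RSA without padding, toy parameters built from Mersenne primes, and hypothetical class and function names; the KDC's view contains only Y, Q and the two encryption keys it relayed, while the exponents Ra and Rb and the decryption keys never leave the terminals.

```python
import math
import secrets

# Constructed toy parameters (far too small and structured for real use).
Q = 2**31 - 1   # Diffie-Hellman modulus chosen by the KDC
Y = 7           # Diffie-Hellman base chosen by the KDC


def rsa_keypair(p: int, q: int):
    """Textbook RSA key pair ((e, n), (d, n)) from two primes; no padding."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(c for c in range(3, 1000, 2) if math.gcd(c, phi) == 1)
    return (e, n), (pow(e, -1, phi), n)


def rsa(i: int, k) -> int:
    """Apparatus 74: one operation for both directions, I raised to K mod n."""
    exponent, n = k
    return pow(i, exponent, n)


def dh(base: int, exp: int, mod: int) -> int:
    """Apparatus 75: base raised to exp, modulo mod."""
    return pow(base, exp, mod)


class Terminal:
    def __init__(self, p: int, q: int):
        # Partial session key pair generated locally; only self.enc is
        # relayed through the KDC, the decryption key stays here.
        self.enc, self._dec = rsa_keypair(p, q)
        self._r = None

    def outgoing(self, peer_enc) -> int:
        """FIG. 15: Y**R mod Q, encrypted under the peer's partial session key."""
        self._r = secrets.randbelow(Q - 3) + 2       # private exponent Ra / Rb
        return rsa(dh(Y, self._r, Q), peer_enc)

    def session_key(self, received: int) -> int:
        """FIG. 17: decrypt, then use the result as base with own exponent."""
        peer_value = rsa(received, self._dec)
        return dh(peer_value, self._r, Q)


def establish():
    a = Terminal(2**61 - 1, 2**89 - 1)     # A generates the pair called Eba/Dba
    b = Terminal(2**107 - 1, 2**127 - 1)   # B generates the pair called Eab/Dab
    kdc_view = {"Y": Y, "Q": Q, "Eba": a.enc, "Eab": b.enc}  # all the KDC relayed
    a_to_b = a.outgoing(kdc_view["Eab"])   # sent on session link 16
    b_to_a = b.outgoing(kdc_view["Eba"])
    return a.session_key(b_to_a), b.session_key(a_to_b), kdc_view


if __name__ == "__main__":
    key_a, key_b, _ = establish()
    print(key_a == key_b)
```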

It should be noted that the actual generation of the desired data at the terminal and at the KDC is operative under control of a computer processor and is programmed in accordance with the flow charts shown in FIGS. 3-5 to perform the sequence of data transfers detailed herein. Such a processor, while not shown, can be any one of several well-known microprocessors, such as for example, the Intel 8086 microprocessor, working in conjunction with the terminal and KDC apparatus shown and detailed herein above.

It should also be noted that one skilled in the art could use different encryption algorithms and different equipments to achieve the same results disclosed herein without departing from the spirit and scope of our invention.

What is claimed is:
 1. A key distribution method for communicatingcipher keys between two terminals via a key distribution center, KDC,said method comprisingestablishing between any one terminal and said keydistribution center a terminal-unique cipher key for controlling thegenerating of session keys, cooperating by transmitting informationusing said established terminal-unique cipher key between said KDC andsaid one terminal on a subsequent connection between said KDC and saidone terminal to establish a session key for use by said one terminal ina subsequent secure transmission between said one terminal and a secondterminal, and changing said priorly established terminal-unique cipherkey in response to use of said priorly established terminal-uniquecipher key on said subsequent connection between said one terminal andsaid KDC.
 2. The invention set forth in claim 1 wherein said session keyis generated from the asymmetric exchange of information between saidone terminal and said KDC plus the subsequent exchange of informationbetween said first and second terminals.
 3. The invention set forth inclaim 2 wherein said session key at said one terminal is random withrespect to information at said KDC.
 4. The invention set forth in claim2 wherein said session key at said one terminal is underivable withrespect to any information at said KDC.
 5. A key distribution center forcontrolling the dissemination of session cipher keys between remotelylocated terminals, said center arranged for switched access to aplurality of said terminals, said center comprisingmeans forestablishing communication cipher keys between said center and each saidterminal having access thereto, each cipher key unique to each saidterminal, means operative when said terminals access said center forbidirectional asymmetrically exchanging information with said accessingterminals using, as a foundation for said exchange, said priorlyestablished communication cipher keys, and means responsive to saidexchanged information between said center and two of said terminals andthe subsequent bidirectional asymmetrical exchange of informationbetween said two terminals for allowing said two terminals to establisha session cipher key for secure transmission between said two terminals.6. The invention set forth in claim 5 wherein said key distributioncenter further comprising means for changing said establishedcommunication cipher keys as a result of said exchanged information. 7.The invention set forth in claim 5 wherein said cipher key establishingmeans uses information from a prior transmission from a particularterminal for establishing said cipher keys to said particular terminal.8. The invention set forth in claim 5 wherein said exchanged informationincludes information generated in part at said center for the randomgeneration of said session key allowing said session key to beunderivable with respect to any information at said center.
 9. A key distribution center for controlling the distribution of cipher control information among a number of terminals, said center comprising means for individually exchanging encoded information between any of said terminals, said exchange for any particular terminal based partially upon a last information exchange between said particular terminal and said center, means for identifying at least two terminals where encrypted session information is to be exchanged and for accepting from said identified terminals certain encryption control information, and means for modifying, according to a preestablished pattern, accepted information from said identified terminals and for communicating said modified information to the other of said terminals so as to allow each of said terminals to thereafter establish, independent of any information available at said center, a cipher key allowing said session information to be encrypted.
 10. An encryption terminal operable for communicating with other said terminals for the exchange of encrypted information, said encryption occurring under control of a session encryption key, said terminal including means for establishing between said terminal and a key distribution center a unique cipher key for exchanging information between said terminal and said center, means for storing information pertaining to established exchanged cipher keys with said center, means for comparing said stored information against information received from said center during an information exchange for verifying that the information on the last exchange to said center was not modified, and session means for enabling a secure transmission with a selected other terminal, said session means controlled in part by said accepted exchanged information.
 11. The invention set forth in claim 10 wherein said terminal also includes means for modifying said unique cipher key after each said information exchange with said center.
 12. The invention set forth in claim 10 wherein said exchanged cipher keys are based, in part, on a bidirectional asymmetric information exchange with said center.
 13. The invention set forth in claim 10 wherein said session means includes the establishment of symmetric session keys with said selected other terminal, said session keys derived by information from said center, said terminal and said other terminal.
 14. An encryption terminal operable for communicating with other said terminals for the exchange of encrypted information, said encryption occurring under control of a session encryption key, said terminal including means for establishing between said terminal and a key distribution center a unique cipher key for exchanging information between said terminal and said center, means for storing information pertaining to established exchanged cipher keys with said center, means for exchanging information with said center, said information exchange enabled by said stored cipher key information, session means for enabling a secure transmission with a selected other terminal, said session means controlled in part by said information exchange, and means for modifying said unique cipher key after each said information exchange with said center.
 15. The invention set forth in claim 14 wherein said exchanged cipher keys are based, in part, on a bidirectional asymmetric information exchange with said center.
 16. The invention set forth in claim 14 wherein said session means includes the establishment of symmetric session keys with said selected other terminal, said session keys derived by information from said center, said terminal and said other terminal.
 17. A cipher key distribution method for controlling the dissemination of session cipher keys between remotely located terminals and a key distribution center, said center arranged for switched access to a plurality of said terminals, said method comprising establishing pairs of communication cipher keys between said center and each said terminal having access thereto, each said pair being unique to each said terminal, exchanging, when one of said terminals accesses said center, information with said accessed terminal using, as a foundation for said exchange, said priorly established communication cipher key, communicating to said terminal, in response to said exchanged information, other information allowing said terminal to establish a session cipher key for use with an identified other terminal also having access to said center, said information exchanged between said center and said terminal includes receiving from said center the base Y and modulus Q of a Diffie-Hellman algorithm.
 18. The invention set forth in claim 14 further including the step of modifying said communication cipher keys during each said information exchange.
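
The Python sketch below is an added illustration, not part of the patent text. It models three behaviours the claims recite: a terminal-to-center link key that is modified after every exchange, a check that rejects a party whose stored state does not match the last exchange, and a Diffie-Hellman session key built by two terminals from a base Y and modulus Q delivered by the center. The HMAC-SHA-256 key roll, the `Endpoint` class and the small values of Y and Q are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo parameters (assumptions): far too small for real use.
Q = 2**127 - 1  # modulus Q, a Mersenne prime
Y = 3           # base Y

def tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, b"auth" + msg, hashlib.sha256).digest()

class Endpoint:
    """One end of a terminal<->KDC link holding the rolling link key."""
    def __init__(self, link_key: bytes):
        self.link_key = link_key

    def _roll(self, msg: bytes) -> None:
        # Next link key depends on the current key and the last exchange.
        self.link_key = hmac.new(self.link_key, b"roll" + msg, hashlib.sha256).digest()

    def send(self, msg: bytes):
        t = tag(self.link_key, msg)
        self._roll(msg)
        return msg, t

    def receive(self, msg: bytes, t: bytes) -> bytes:
        if not hmac.compare_digest(t, tag(self.link_key, msg)):
            raise ValueError("link state mismatch: prior exchange unknown to this side")
        self._roll(msg)
        return msg

def dh_keypair():
    x = secrets.randbelow(Q - 3) + 2  # private exponent never leaves the terminal
    return x, pow(Y, x, Q)

def session_key(own_private: int, peer_public: int) -> bytes:
    return hashlib.sha256(pow(peer_public, own_private, Q).to_bytes(16, "big")).digest()

def demo():
    k0 = secrets.token_bytes(32)
    kdc, terminal = Endpoint(k0), Endpoint(k0)
    terminal.receive(*kdc.send(f"{Y},{Q}".encode()))  # KDC delivers Y and Q
    rolled = kdc.link_key == terminal.link_key and terminal.link_key != k0
    stale = Endpoint(k0)  # holder of a copy of the key made before the exchange
    try:
        kdc.receive(*stale.send(b"request"))
        rejected = False
    except ValueError:
        rejected = True
    (a, A), (b, B) = dh_keypair(), dh_keypair()
    return rolled, rejected, session_key(a, B) == session_key(b, A)
```

In this model the center knows only Y, Q and whatever public values pass through it, so the session key depends on private exponents that exist only at the two terminals.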